Why to use .PEM file in ssh process

So I come from a Windows background and am new to SSH. We are in a Linux environment now and, as much as I like SSH and see its benefits, what I have realized is that it can be implemented in different ways. Now, for the longest time, we have been using ssh with a public/private key, which works exactly like how it is described in this Digital Ocean article.

Basically,

  1. We used ssh-keygen with our email to create a private/public key and then copied the .pub file to the server
  2. Just keep on ssh-ing to the server without having to enter any password

Now, I came across another model where another team uses this .pem file, and they have to use this .pem file to ssh to the server every time. According to them, it is more secure. To me, it's just more work. Anyways, my question is simple:

  1. What is the benefit of using a .pem file?
  2. How is it better than the ssh model that we are using?
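Both setups in the question are public-key authentication: the AWS-style .pem download and the ~/.ssh/id_rsa that ssh-keygen writes are the same kind of artifact, a private key file, and a .pem file is just PEM armour (a BEGIN/END header around base64 DER) around that key. What actually separates a well-protected key from a poorly protected one is whether the file is passphrase-encrypted and whether its permissions keep other users out. The inspector below is an added example written for this answer, not code from the question or from OpenSSH; the sample key files are constructed in-line (real header formats, placeholder bodies) and the `inspect_private_key` and `perms_too_open` names are my own.

```python
import base64
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _pem(label: str, body_b64: str, headers: str = "") -> str:
    return f"-----BEGIN {label}-----\n{headers}{body_b64}\n-----END {label}-----\n"


def _openssh_blob(cipher: bytes, kdf: bytes) -> bytes:
    # Start of the "openssh-key-v1" container: magic, ciphername, kdfname,
    # kdfoptions, nkeys. Only the leading fields matter for this check.
    return (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))


# Constructed sample files (assumption: placeholder bodies, not real key material).
SAMPLE_PKCS1_PLAIN = _pem("RSA PRIVATE KEY", "MIIEpAIBAAKCAQEA")  # body truncated on purpose
SAMPLE_PKCS1_ENC = _pem(
    "RSA PRIVATE KEY", "AAAA",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n")
SAMPLE_OPENSSH_PLAIN = _pem(
    "OPENSSH PRIVATE KEY", base64.b64encode(_openssh_blob(b"none", b"none")).decode())
SAMPLE_OPENSSH_ENC = _pem(
    "OPENSSH PRIVATE KEY", base64.b64encode(_openssh_blob(b"aes256-ctr", b"bcrypt")).decode())
SAMPLE_PKCS8_ENC = _pem("ENCRYPTED PRIVATE KEY", "AAAA")


def inspect_private_key(text: str) -> dict:
    """Report the container format of a private key file and whether it is encrypted."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", text, re.S)
    if not m:
        return {"format": "unknown", "encrypted": None}
    label, body = m.group(1), m.group(2)

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(b"openssh-key-v1\x00"):
            return {"format": "OpenSSH", "encrypted": None, "error": "bad magic"}
        i = len(b"openssh-key-v1\x00")
        names = []
        for _ in range(2):  # ciphername, then kdfname
            (n,) = struct.unpack(">I", blob[i:i + 4])
            i += 4
            names.append(blob[i:i + n].decode())
            i += n
        cipher, kdf = names
        return {"format": "OpenSSH", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}

    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "PKCS#8", "encrypted": True}
    if label == "PRIVATE KEY":
        return {"format": "PKCS#8", "encrypted": False}

    # Legacy OpenSSL/PEM containers signal encryption with RFC 1421 headers.
    legacy = {"RSA PRIVATE KEY": "PKCS#1 RSA", "EC PRIVATE KEY": "SEC1 EC", "DSA PRIVATE KEY": "DSA"}
    if label in legacy:
        enc = re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M) is not None
        dek = re.search(r"^DEK-Info: ([^,\n]+)", body, re.M)
        return {"format": legacy[label], "encrypted": enc, "cipher": dek.group(1) if dek else None}
    return {"format": label, "encrypted": None}


def perms_too_open(mode: int) -> bool:
    """ssh refuses a private key readable by group or others ('UNPROTECTED
    PRIVATE KEY FILE'); mode is the permission-bit part of st_mode."""
    return (mode & 0o077) != 0


if __name__ == "__main__":
    for name, sample in [("pkcs1 plain", SAMPLE_PKCS1_PLAIN), ("pkcs1 enc", SAMPLE_PKCS1_ENC),
                         ("openssh plain", SAMPLE_OPENSSH_PLAIN), ("openssh enc", SAMPLE_OPENSSH_ENC)]:
        print(name, inspect_private_key(sample))
```

Run against a real file with `inspect_private_key(open(path).read())` and `perms_too_open(os.stat(path).st_mode & 0o777)`. An unencrypted .pem with mode 0600 and an unencrypted id_rsa with mode 0600 score identically; the "more secure" property the other team may be after is the passphrase (ssh-keygen -p adds one to either file), not the file extension.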

How can I add a .pem private key fingerprint entry to known_hosts before connecting with ssh?

I have host A in AWS as an EC2 instance.

I have a private key embedded in a .PEM file that I can use to connect to host A with SSH key Z. This works if I pass it to the ssh command using the -l argument, AND if I turn off strict host checking with -o StrictHostKeyChecking=no.

I would strongly prefer to leave strict host checking on even though I "know" this is the correct host, because I'm interacting with the AWS interface, getting the IP/DNS from them, and I'm inside of my own little VPC world.

It seems like the only way to provide the fingerprint -> host mapping is by providing it in a known_hosts file.

Is that correct?

If that is correct, how can I take the private key embedded in the .PEM file that I have from AWS and build the correct entry for the single fingerprint -> host mapping for a temporary known_hosts file that I can read when I’m logging into the EC2 instance?

WHAT I DO NOT WANT TO DO

  • Use ssh-keyscan. All this does is blindly accept the fingerprint of the remote client without validating that it matches with the key. I think?
  • Turn off StrictHostKeyChecking. I want to establish good practices early, and I need to know how to do this now, because I’m going to need to know how to do this in general. (By this I mean how to use SSH fingerprints to validate the identity of the host I’m connecting to, based on the key that I have.)
  • Mess around with ssh-add. I want to write this to a file that's easy to lock down access to, not put it into a running process.
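A known_hosts entry pins the server's host public key (the one in /etc/ssh/ssh_host_*_key.pub on the instance), which is a different key from the client .pem: the .pem proves who the client is, the host key proves who the server is. For EC2 the out-of-band source for that key is typically the host-key fingerprints the instance prints to its console output on first boot. Once you have the host's public key line, the helper below, an added example written for this question and not OpenSSH code, shows how a known_hosts line is built in both plain and HashKnownHosts form, how the SHA256 fingerprint that ssh displays is derived, and how a StrictHostKeyChecking-style lookup decides match / mismatch / unknown. The host key is a constructed ed25519 blob with made-up bytes; the function names are my own.

```python
import base64
import hashlib
import hmac
import os
import struct


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


# Constructed sample host key (assumption: 32 made-up bytes, not any real host's key).
_SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_HOST_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(_SAMPLE_PUBKEY)).decode()


def fingerprint_sha256(keyline: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 over the raw key blob, base64 without padding."""
    keytype, b64 = keyline.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(host: str, keyline: str, hashed: bool = False) -> str:
    """Build one known_hosts line. With hashed=True the hostname is replaced by
    |1|base64(salt)|base64(HMAC-SHA1(salt, host)), the HashKnownHosts layout."""
    keytype, b64 = keyline.split()[:2]
    if hashed:
        salt = os.urandom(20)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        name = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    else:
        name = host
    return f"{name} {keytype} {b64}"


def _host_matches(entry_name: str, host: str) -> bool:
    if entry_name.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_name.split("|")
        salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        return hmac.compare_digest(hmac.new(salt, host.encode(), hashlib.sha1).digest(), mac)
    return host in entry_name.split(",")  # plain entries may list several names


def verify_host_key(known_hosts_text: str, host: str, presented_keyline: str) -> str:
    """Mimic StrictHostKeyChecking=yes: 'match' connects, 'mismatch' is the
    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED case, 'unknown' is refused."""
    keytype, b64 = presented_keyline.split()[:2]
    saw_host = False
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        if not _host_matches(parts[0], host):
            continue
        if parts[1] != keytype:
            continue  # a host may legitimately have keys of several types
        saw_host = True
        if hmac.compare_digest(parts[2], b64):
            return "match"
    return "mismatch" if saw_host else "unknown"


if __name__ == "__main__":
    # Hostname placeholder: substitute the instance's public DNS name or IP.
    kh = known_hosts_entry("ec2-host.example", SAMPLE_HOST_KEY_LINE, hashed=True)
    print(kh)
    print(fingerprint_sha256(SAMPLE_HOST_KEY_LINE))
    print(verify_host_key(kh, "ec2-host.example", SAMPLE_HOST_KEY_LINE))
```

Write the line `known_hosts_entry(...)` returns into a temporary file and point ssh at it with `-o UserKnownHostsFile=/path/to/file`; compare `fingerprint_sha256(...)` against the fingerprint published on the instance console before trusting the key line, since that comparison is the step ssh-keyscan alone cannot do for you.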

Convert ASN.1 key to openssl .pem to decrypt a message encoded in hex?

I have an ASN.1 type key:

308204a40201000282010100b3b77eb538f617a8441cdcf1fb133c1e73156894f1e049402d5c3ca7c74b69c6a8e81913dcfaeaee3e46bee05934ed21c23adc989729c189bf791da75b596ef41a325938205399ec0ca3aceea90238f3589b5b8427f8bae78b801e65d00a4fdd4905bfc650a79d596034b3dc20fd894202a9f718799d742e7df5defde553e3ab8e952e0f3047f73fe1e1c8ca8a66536cf2f0746a0f607de6dba0a8e3570ef83c03420a919a950a5a007597bf2f5cac8d096f3cacb0ca228a73500dd2bd08451effb7ab00c07d92f22607a740a394506a085ab0fb5627a20e6fbf122a9ab369ee2fb61c983620d848a72b16047f265468369ac449e9b4f07361af8e1019df7d570203010001028201010099ee83a329a4efe27a64d6829571863ef687d1ca31dad0231e3730e4ec7915a2c92df3bce5bc2dd9de91ae106f983bbc7ca6fa27e0e22d19955d621ee4c997959192aa84be7b9d0d684e11636273bae004771d4df706bee070c64e431a8c9a978962593ebdfab375c8479bfee26b0753f90027db58df9a91efe5d7185583232f6edaba4d2c6c797ff177eed7e6ee6424adc3af8352e61134265522f0a1334761845231e6708b630caf0ca24a77f597b3ec2e038172017f66b1e76c1cd99d2b5a6a29faab9ba42a89ec44b1ff20ee606f9e7f9556bd9a74e5c1b83d87317f2008ca7790b4f0218292f484ca40a3c3d64c541634bbcc903f1c2cac5971a6f957f102818100bf54486569e2ff77a4fad4e97efd0048978b1d2d5e7b4221c3def2ad6ca0427af42bbf592cf2439048d90eff248810ebf6faf67851c4b1c7dd646f5372e6e9eb46360f737cedba2cc0b5a288ceefcf408e576e8352c990c2470a363085328b4a76732c39251a16ba7d37e0ac14bcec879081214bbdb543acecb31a7d3e670f8502818100f07662fee84a2e05e6997a28dfacbbc160417640cb285d223626b656e0e6c22309d5adef3888b38ad172017d467453ee53e831e2a877f7836aa1a5c19e7443142d5c1dcafc092a2f5c3951458ee0c9cfa153f8eefe22b94e51608e98bd5b3609a3c9f870f09e08c7830df749d96bf0eded633fb1318da083bf2a440fec48fa2b0281804764e4eaeadb28a6f5aa1f9ecda30ce309a1808eb86dd81c8f61773edd84e3a9cbc9334acc69ce6a5db49952fdc7c440b8d5a6f8f8d223e0c7ad3d996f0bd987d09845a5bb9d5dd66b469bd2df1d3f42009b81828176f38c7b43c53acfc92f8ee6aa4d7b396c05c52b0a99ccbca44ec2bb5a6419463e0875d39175b5fc7e2a9d02818042946500b38ca68597bdf32712179fbd014bded43dec252d6dd4f633c3fde0cf16d00562f14258841d4df5bf9c1c6588ddceb2d15158363e3aee1b192b2881d23a650112
cd0a3495fc711a61aa17ef88ffe06252ba271f2be2385c034a9ad0b1869a4ba1e9ddb80c95eaee07929de28dde66d6a1d758a193190138eb37bf5515028181008d99f0f0beffa8fad237540ed70199de7c6d9324505174115e41031957ec2999017e8b1c7d5f9889a62fe78e1d532dc5ef41fa694e49aca5d52987d8f70f96413506e4714e11006dbcec3c318d6211de7f8548b4b37abedd2b2f96b367b0ebcfd0166c6582a660ce9f79b74ef83bb0bbc87604fdefc3b2bfcb1215b2f9ca1d35 

And a hex-encoded (I think?) message:


I want to decrypt the message using the key, how is that possible?
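The hex in the question is a DER-encoded PKCS#1 RSAPrivateKey: it opens with `30 82 04 a4` (SEQUENCE, 1188 bytes), then `02 01 00` (INTEGER version 0), then `02 82 01 01 00 b3 ...` (a 257-byte INTEGER, the 2048-bit modulus with a leading zero byte), followed by e, d, p, q, dP, dQ and qInv. The added example below, written for this question rather than taken from it or from OpenSSL, parses that structure with a small DER reader, wraps the DER into the `-----BEGIN RSA PRIVATE KEY-----` PEM that openssl expects, and performs the textbook RSA decryption with PKCS#1 v1.5 unpadding. Because the question's message is not available here and copying a 2048-bit key by hand is error-prone, the key is a constructed demo key built from two Mersenne primes (far too small for real use); every function name is my own.

```python
import base64
import secrets

FIELDS = ["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"]


def _der_len(data: bytes, i: int):
    """Decode a DER length at offset i; return (length, offset after it)."""
    first = data[i]
    if first < 0x80:
        return first, i + 1
    nbytes = first & 0x7F  # long form, e.g. 0x82 0x04 0xa4 in the question's key
    return int.from_bytes(data[i + 1:i + 1 + nbytes], "big"), i + 1 + nbytes


def _der_read_integer(data: bytes, i: int):
    if data[i] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % i)
    length, i = _der_len(data, i + 1)
    return int.from_bytes(data[i:i + length], "big"), i + length


def parse_rsa_private_key(der: bytes) -> dict:
    """PKCS#1 RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    values = []
    for _ in FIELDS:
        value, i = _der_read_integer(der, i)
        values.append(value)
    return dict(zip(FIELDS, values))


def _der_len_enc(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    # (bit_length + 8) // 8 keeps a leading 0x00 when the top bit is set,
    # which is why the question's modulus is 257 bytes long.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_enc(len(body)) + body


def encode_rsa_private_key(key: dict) -> bytes:
    body = b"".join(_der_int(key[name]) for name in FIELDS)
    return b"\x30" + _der_len_enc(len(body)) + body


def to_pem(der: bytes) -> str:
    """PEM is only base64 DER in 64-column lines between BEGIN/END markers."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def make_demo_key() -> dict:
    """Constructed demo key (assumption: toy primes, about 150-bit modulus)."""
    p, q, e = 2 ** 61 - 1, 2 ** 89 - 1, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"version": 0, "n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def rsa_encrypt_pkcs1v15(n: int, e: int, message: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    if len(message) > k - 11:
        raise ValueError("message too long for this key")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(message) - 3))  # non-zero padding
    em = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def rsa_decrypt_pkcs1v15(key: dict, ciphertext: bytes) -> bytes:
    """m = c^d mod n, then strip the 00 02 <PS> 00 prefix."""
    n, d = key["n"], key["d"]
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return em[em.index(b"\x00", 2) + 1:]


if __name__ == "__main__":
    key = make_demo_key()
    der = encode_rsa_private_key(key)
    print(der.hex()[:40], "...")           # same 30 .. 02 01 00 02 .. layout as the question
    print(to_pem(der))
    ct = rsa_encrypt_pkcs1v15(key["n"], key["e"], b"hi there")
    print(rsa_decrypt_pkcs1v15(key, ct))
```

For the real key, write the joined hex as binary (`bytes.fromhex(hex_text)`) to key.der, then `openssl rsa -inform DER -in key.der -out key.pem` produces the PEM and `openssl pkeyutl -decrypt -inkey key.pem -in msg.bin` attempts the decryption, where msg.bin is the message hex decoded to bytes; if that fails with a padding error, the message was not encrypted with PKCS#1 v1.5 under this key, and the parser above is a quick way to confirm at least that the key material itself decodes cleanly.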